U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:fortinet:fortimanager:5.4.0:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 13 matching records.
Displaying matches 1 through 13.
Vuln ID Summary CVSS Severity
CVE-2021-36170

An information disclosure vulnerability [CWE-200] in FortiAnalyzerVM and FortiManagerVM versions 7.0.0 and 6.4.6 and below may allow an authenticated attacker to read the FortiCloud credentials which were used to activate the trial license in cleartext.

Published: October 06, 2021; 6:15:07 AM -0400
V3.1: 3.2 LOW
V2.0: 2.1 LOW
CVE-2021-24017

An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.

Published: September 30, 2021; 12:15:07 PM -0400
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-24016

An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.

Published: September 30, 2021; 12:15:07 PM -0400
V3.1: 6.3 MEDIUM
V2.0: 9.3 HIGH
CVE-2021-32597

Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters.

Published: August 06, 2021; 7:15:07 AM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2020-9289

Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key.

Published: June 16, 2020; 5:15:11 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2019-17657

An Uncontrolled Resource Consumption vulnerability in Fortinet FortiSwitch below 3.6.11, 6.0.6 and 6.2.2, FortiAnalyzer below 6.2.3, FortiManager below 6.2.3 and FortiAP-S/W2 below 6.2.2 may allow an attacker to cause admin webUI denial of service (DoS) via handling special crafted HTTP requests/responses in pieces slowly, as demonstrated by Slow HTTP DoS Attacks.

Published: April 07, 2020; 2:15:13 PM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2019-17654

An Insufficient Verification of Data Authenticity vulnerability in FortiManager 6.2.1, 6.2.0, 6.0.6 and below may allow an unauthenticated attacker to perform a Cross-Site WebSocket Hijacking (CSWSH) attack.

Published: March 15, 2020; 7:15:11 PM -0400
V3.1: 8.8 HIGH
V2.0: 6.8 MEDIUM
CVE-2018-13375

An Improper Neutralization of Script-Related HTML Tags in Fortinet FortiAnalyzer 5.6.0 and below and FortiManager 5.6.0 and below allows an attacker to send DHCP request containing malicious scripts in the HOSTNAME parameter. The malicious script code is executed while viewing the logs in FortiAnalyzer and FortiManager (with FortiAnalyzer feature enabled).

Published: May 28, 2019; 3:29:00 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2018-1360

A cleartext transmission of sensitive information vulnerability in Fortinet FortiManager 5.2.0 through 5.2.7, 5.4.0 and 5.4.1 may allow an unauthenticated attacker in a man in the middle position to retrieve the admin password via intercepting REST API JSON responses.

Published: April 25, 2019; 2:29:00 PM -0400
V3.0: 8.1 HIGH
V2.0: 4.3 MEDIUM
CVE-2018-1353

An information disclosure vulnerability in Fortinet FortiManager 6.0.1 and below versions allows a standard user with adom assignment read the interface settings of vdoms unrelated to the assigned adom.

Published: September 05, 2018; 9:29:00 AM -0400
V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-1351

A Cross-site Scripting (XSS) vulnerability in Fortinet FortiManager 6.0.0, 5.6.6 and below versions allows attacker to execute HTML/javascript code via managed remote devices CLI commands by viewing the remote device CLI config installation log.

Published: June 28, 2018; 11:29:00 AM -0400
V3.0: 4.8 MEDIUM
V2.0: 3.5 LOW
CVE-2018-1355

An open redirect vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 and below versions, FortiAnalyzer 6.0.0, 5.6.5 and below versions allows attacker to inject script code during converting a HTML table to a PDF document under the FortiView feature. An attacker may be able to social engineer an authenticated user into generating a PDF file containing injected malicious URLs.

Published: June 27, 2018; 4:29:04 PM -0400
V3.0: 6.1 MEDIUM
V2.0: 5.8 MEDIUM
CVE-2018-1354

An improper access control vulnerability in Fortinet FortiManager 6.0.0, 5.6.5 and below versions, FortiAnalyzer 6.0.0, 5.6.5 and below versions allows a regular user edit the avatar picture of other users with arbitrary content.

Published: June 27, 2018; 4:29:03 PM -0400
V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM